IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Use third party certificates to configure TLS/SSL for the Authorization Policy Server
You can use third party certificates to configure TLS/SSL for the Authorization Policy Server.
Many of the steps below require you to be logged in to the WebSphere Administrative Console for the Authorization Policy Server and Dashboard Application Services Hub. Use the following steps to log in to the console:
- Enter the following URL in your Internet Explorer or Firefox browser: https://hostname:16311/ibm/console.
  If your environment was configured with a port number other than the default, enter that number instead. The default path to the server is /ibm/console. However, this path is configurable, and might differ from the default in your environment.
- Enter the Dashboard Application Services Hub administrative user ID and password, then click Go.
  The user ID must be assigned the administrator and iscadmins roles.
- In the Console Settings area, click WebSphere Administrative Console and then click the Launch WebSphere administrative console button.
Procedure
- Add the certificate authority public signer certificate to the WebSphere Application Server trust store.
  - Select Security → SSL certificate and key management.
  - In the Related Items area, click the Key stores and certificates link and in the table click the NodeDefaultTrustStore link.
  - In the Additional Properties area, click the Signer certificates link and in the page that is displayed, click Add.
  - In the page that is displayed, specify the following information:
    - Set Alias to the desired label for the certificate. For example, Authorization Policy Server Signer Certificate.
    - Set File name to the location of the certificate authority signer certificate. For example, C:\policyauthcerts\CASignerCert.arm.
    - Leave the Data type as Base64-encoded ASCII data.
  - Click OK, then Save.
  The certificate authority public signer certificate can now be distributed to the portal server and tivcmd CLI computers for importing.
- Create a private certificate request to be signed by the certificate authority.
  - Select Security → SSL certificate and key management.
  - In the Related Items area, click the Key stores and certificates link and in the table click the NodeDefaultKeyStore link.
  - In the Additional Properties area, click the Personal certificate requests link and in the page that is displayed, click New.
  - In the page that is displayed, specify the following information:
    - Set File name to the location to store the private certificate request. For example, C:\policyauthcerts\PolicyAuthServerCertRequest.arm.
    - Set the Key label to the desired label for the certificate. For example, Authorization Policy Server Certificate.
    - Leave the Signature algorithm as SHA1withRSA.
    - Set the Key size to 2048.
    - Set the Common name to a unique name for the Authorization Policy Server. Typically, this is a computer name.
    - Set Organization to a meaningful value. Typically, this is a company name.
    - Set Organization unit to a meaningful name. For example, PolicyAuth.
    - Set Country or region to the desired value. For example, US.
  - Click OK, then Save.
  Send the certificate request generated above to the certificate authority to request a new digital certificate. The certificate authority can take two to three weeks to generate the new digital certificate.
  After the certificate authority returns your new digital certificate, save it to a location on the Authorization Policy Server computer. For example, C:\policyauthcerts\PolicyAuthServerSignedCert.arm.
- Receive the signed digital certificate using the WebSphere Administrative Console.
  - Select Security → SSL certificate and key management.
  - In the Related Items area, click the Key stores and certificates link and in the table click the NodeDefaultKeyStore link.
  - In the Additional Properties area, click the Personal certificates link and in the page that is displayed, click Receive from a certificate authority.
  - In the page that is displayed, specify the following information:
    - Set File name to the location of the signed digital certificate. For example, C:\policyauthcerts\PolicyAuthServerSignedCert.arm.
    - Leave the Data type as Base64-encoded ASCII data.
  - Click OK, then Save.
- Set the new private certificate as the default server certificate.
  - Select Security → SSL certificate and key management.
  - In the Related Items area, click the SSL configurations link and in the table click the NodeDefaultSSLSettings link.
  - In the page that is displayed, click Default server certificate alias and choose the signed Authorization Policy Server certificate. For example, Authorization Policy Server Certificate.
  - Click OK, then Save.
  - Select Security → SSL certificate and key management again.
  - Click the Manage endpoint security configurations link.
  - Click the node name link under Inbound → thecellname → nodes.
  - Click Certificate alias in key store and choose the signed Authorization Policy Server certificate. For example, Authorization Policy Server Certificate.
  - Click OK, then Save.
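
Before receiving the signed certificate into NodeDefaultKeyStore, the file returned by the certificate authority can be checked offline against the certificate request and the CA signer certificate. The script below is an added example, not part of IBM's procedure; it assumes the openssl command-line tool is available, and the throwaway CA, subject names and key files it generates are constructed sample input named after the example files above.

```shell
#!/bin/sh
# Added example, not IBM's procedure: offline checks on the files the steps name.
# The openssl CLI and every file/subject value generated below are assumptions.

# check_signed_cert CA_SIGNER CSR SIGNED_CERT
# Returns 0 if all checks pass; 1 = bad CSR, 2 = chain failure, 3 = key mismatch.
check_signed_cert() {
    ca=$1; csr=$2; cert=$3
    # 1. The request's self-signature is intact (file not damaged or altered).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" \
        || { echo "CSR self-signature check failed"; return 1; }
    # 2. The returned certificate chains to the signer certificate that was
    #    added to NodeDefaultTrustStore.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not chain to the CA signer"; return 2; }
    # 3. The certificate carries the public key of the pending request, so
    #    the key store holds the matching private key.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null | openssl sha256)
    crt_key=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    [ "$csr_key" = "$crt_key" ] \
        || { echo "certificate key does not match the request"; return 3; }
    echo "ok"
}

# Constructed sample input: a throwaway CA, request and signed certificate,
# named after the example files in the procedure.
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/CASignerCert.arm" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Example/OU=PolicyAuth/CN=policyauth.example.com" \
        -keyout "$d/srv.key" -out "$d/PolicyAuthServerCertRequest.arm" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/PolicyAuthServerCertRequest.arm" \
        -CA "$d/CASignerCert.arm" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/PolicyAuthServerSignedCert.arm" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
check_signed_cert "$demo_dir/CASignerCert.arm" \
    "$demo_dir/PolicyAuthServerCertRequest.arm" \
    "$demo_dir/PolicyAuthServerSignedCert.arm"
```

With real files, call check_signed_cert with the paths to the CA signer certificate, the saved certificate request and the certificate returned by the certificate authority; a nonzero return code identifies which check failed.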